
Dynamic Approaches Witnessed in AveMaria's Distribution Strategy

The use of info-stealers by malicious hackers has recently gained momentum in the cyber threat landscape. AveMaria, one such info-stealer, has been changing its tactics in order to infect more users. Zscaler researchers have provided an in-depth analysis of these changes and of the new tactics, techniques, and procedures that characterise an AveMaria attack.

Recent discoveries 

Over the last six months, the operators behind the info-stealer have significantly reworked the execution stages in order to infect more users. Most of these attacks were launched via phishing emails, the first of which was discovered in August 2022. Those phishing emails, which included an ISO file attachment, three decoy documents, and four shortcut files, were sent to Ukrainian officials.

Experts discovered two versions of the AveMaria attack chain in December 2022, both of which used the Virtual Hard Disk file format to drop the malicious downloader. In one case, adversaries used a malicious .vhdx file to install the malware; in the other, they used type casting or type conversion (manipulating bit values) and dropped a .vhd file as the initial payload.

In October 2022, the malicious payload was delivered via AUloader: the phishing campaign used a heavily obfuscated AutoIt script together with the AutoIt interpreter to decrypt the AveMaria binary in memory and then execute it.

In September 2022, VBScript and DLL injection techniques were used during the execution stages to avoid detection. This campaign specifically targeted Serbian users, asking them to update their login credentials for the government e-identification portal.

Researchers emphasise that AveMaria's developers are actively maintaining the malware and updating its phases and stages of execution with new tactics to evade detection. The distribution mechanisms were changed on a monthly basis, so that even if one mechanism was flagged by security operators, another could still be used effectively.

Because these attacks were primarily launched via phishing emails, organisations should deploy a stronger email security solution to thwart such threats at an early stage. They can also use the IOCs provided by Zscaler to understand the full scope of the attack chains.
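As an added example (not Zscaler's code or part of the original post), the following Python rule set holds an inbound attachment for review when it matches any of the delivery patterns described above: a disk-image container (.iso, .vhd, .vhdx), shortcut files bundled with decoy documents inside that container, an AutoIt interpreter alongside a compiled script, or a VBScript stage. The attachment manifests are constructed samples, and the extension and marker lists are assumptions, not indicators from the report.

```python
# Added example: email-gateway triage rules for the AveMaria delivery containers
# described above. Manifests are constructed sample data; a real gateway would
# supply them after extracting the attachment. Extension lists are assumptions.
from dataclasses import dataclass, field

DISK_IMAGES = {".iso", ".vhd", ".vhdx"}            # container formats used as lures
DECOY_DOCS = {".pdf", ".docx", ".doc", ".rtf"}     # decoys placed beside shortcuts
SCRIPT_EXTS = {".vbs", ".vbe"}                     # VBScript execution stage
AUTOIT_MARKERS = {"autoit3.exe", ".a3x", ".au3"}   # interpreter + compiled script

@dataclass
class Attachment:
    name: str                                         # attachment file name
    contents: list = field(default_factory=list)      # file names inside a container

def _ext(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    return name[name.rfind("."):].lower() if "." in name else ""

def triage(att):
    """Return the list of reasons an attachment should be held for review."""
    reasons = []
    ext = _ext(att.name)
    inner = [n.lower() for n in att.contents]
    inner_exts = {_ext(n) for n in inner}
    if ext in DISK_IMAGES:
        reasons.append(f"disk image attachment ({ext})")
        if ".lnk" in inner_exts:
            reasons.append("shortcut files inside disk image")
            if inner_exts & DECOY_DOCS:
                reasons.append("decoy documents bundled with shortcuts")
    if ext in SCRIPT_EXTS or inner_exts & SCRIPT_EXTS:
        reasons.append("VBScript stage present")
    if any(m in n for n in inner + [att.name.lower()] for m in AUTOIT_MARKERS):
        reasons.append("AutoIt interpreter or compiled script present")
    return reasons

SAMPLES = [  # constructed manifests modelled on the chains described in the post
    Attachment("invoice.iso", ["readme.pdf", "notice.docx", "claim.rtf",
                               "open.lnk", "view.lnk", "read.lnk", "start.lnk"]),
    Attachment("update.vhdx", ["setup.exe"]),
    Attachment("portal.vhd", ["AutoIt3.exe", "script.a3x"]),
    Attachment("eID-update.vbs"),
    Attachment("report.pdf"),
]

def held_attachments(atts=SAMPLES):
    """Map each flagged attachment name to the reasons it was held."""
    return {a.name: triage(a) for a in atts if triage(a)}

if __name__ == "__main__":
    for name, why in held_attachments().items():
        print(name, "->", "; ".join(why))
```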